Virtualisation
Apolinar González, Alfons Crespo
OUTLINE
• Introduction
• Virtualisation techniques
• Hypervisors and real-time TSP
• Roles and functions
• Scheduling issues
• Case study: XtratuM
Preliminary concepts
Virtual machine (VM): software that implements a machine (computer), reproducing the behaviour of the real one.
Hypervisor (also virtual machine monitor, VMM): a software layer (or a software/hardware combination) that allows several independent execution environments, or partitions, to run on one computer.
Partition: an execution environment for programs. Examples: Linux + applications; a real-time operating system + tasks; …
Preliminary concepts
(Figure: partitions running on top of the hypervisor.)
INTRODUCTION: Isolation
Temporal isolation refers to the system's ability to execute several partitions while guaranteeing:
• the timing constraints of the partition tasks;
• that the execution of each partition does not depend on the temporal behaviour of the other partitions.
Temporal isolation is enforced by means of a scheduling policy:
• Cyclic scheduling (ARINC 653)
• Periodic Priority Server
• EDF Server
• Priority
PARTITIONED SYSTEMS
Temporal isolation (figure): partitions P1, P2 and P3 execute in slots within a Major Frame (MAF) that repeats (MAF 1, MAF 2, MAF 3, MAF 4). A slot (temporal window) is defined by its origin relative to the MAF and its duration. Example slot: id = 3, start = 400ms, duration = 100, partition: P1.
INTRODUCTION: Isolation
Spatial isolation refers to the system's ability to detect and prevent a partition from accessing another partition's memory, for reading or writing.
The hardware shall provide mechanisms to guard against violations of spatial isolation.
The spatial isolation property states that data processing in any partition cannot access any memory address outside its own memory region.
PARTITIONED SYSTEMS
Spatial isolation (figure): XtratuM and the partitions P1, P2 and P3 each occupy a separate region of memory.
INTRODUCTION: Benefits
Hardware independence: the hypervisor can implement virtualised hardware (legacy or otherwise unavailable hardware).
OS/RTOS: several operating systems can be executed on the same hardware.
Security: divide complex applications into clearly isolated parts according to their security/criticality requirements.
Reuse of legacy code: mix old (but well tested and validated) code with new services and applications.
IP protection: use applications with different/incompatible licenses.
Multicore migration: no need to change the RTOS to get all the power of the new multicore processors.
Partitioned systems
Partitioned systems are integrated by several "isolated" partitions.
Each partition has its own runtime (guest OS) and its application.
Partitioned systems involve a change in thinking from physical to logical, considering system resources as logical resources rather than as separate physical resources.
INTEGRATED MODULAR AVIONICS: IMA
The IMA concept proposes an integrated architecture with application software portable across an assembly of common hardware modules. An IMA architecture imposes multiple requirements on the underlying operating system.
(Figure: federated architecture, where each application level A, B and C runs on its own RTOS and hardware, versus Integrated Modular Avionics, where the applications A, B and C with their RTOS share one hardware platform.)
INTEGRATED MODULAR AVIONICS: IMA
IMA design brings in the notion of time, space and resource partitioning. An IMA architecture contains:
• A partitioning kernel that runs in supervisor mode and provides TSP and a set of services.
• Within each partition, the applications execute in user mode, completely isolated from other applications.
• The operating system makes each application behave as if it had exclusive use of the platform when, in fact, it is sharing the platform with many other applications.
PARTITIONED SYSTEMS
ARINC-653 (Avionics Application Standard Software Interface) is an industrial avionics standard published by Aeronautical Radio.
It is a software specification for space and time partitioning in safety-critical avionics real-time operating systems. It delivers a set of services and functionalities to host multiple applications of different software levels on the same hardware in the context of an Integrated Modular Avionics architecture.
Each application is an entity called a partition.
PARTITIONED SYSTEMS
ARINC-653 defines an API called APplication EXecutive (APEX) for space and time partitioning.
• Space: each partition has a separate address space and cannot access (read or write) other address spaces. This mechanism isolates partition memory and prevents access to other partitions.
• Time: each partition is scheduled according to a static cyclic scheduling plan. The plan is repeated at the plan duration (major frame, MAF) rate. Time isolation means that a partition's execution does not depend on the others; in other words, an error in a partition does not affect the other partitions.
PARTITIONED SYSTEMS
ARINC 653 provides the following services through its API at two levels:
• Partitioning level
  • Partition Management
  • Time Management
  • Interpartition Communication: partitions can communicate through specified ports and channels supervised by the kernel.
  • Health Monitoring
• Partition level
  • Process Management
  • Intrapartition Communication
Example
(Figure: an example system on a Virtualiser over common hardware with four partitions: a GPOS running user interface applications, a SecureOS running remote access services, an RTOS running basic control logic, and an RTS running system management. The basic control logic partition is present in several replicas.)
Example
(Same figure: partitions Par.1, Par.2 and Par.3 are grouped into a System Container, which allows partitions to be upgraded dynamically.)
Example
(Same figure: the system management partition receives the Health Monitor log stream, performs a system analysis and decides whether to restart, stop or reload partitions.)
Example
(Same figure, annotated: Health Monitor log stream; Certified.)
Example
(Same figure, annotated: Certified; no need of new certification.)
OVERVIEW
XtratuM is a bare-metal hypervisor designed to meet safety-critical real-time requirements.
• Uses para-virtualisation techniques
• Strong temporal isolation: fixed cyclic scheduler
• Strong/partial spatial isolation: every partition is executed in processor user mode and does not share memory. Without an MMU, read operations cannot be protected (very high cost)
• Robust communication mechanisms (ARINC sampling and queueing ports)
• Robust error management via the Health Monitor
• Devices can be directly managed by partitions. Shared devices can be organised in an IOServer
• All resources are allocated via a Configuration Table (XML)
• Tracing facilities
ARCHITECTURE
(Figure: XtratuM architecture.)
XTRATUM APPROACH
The approach followed in XtratuM:
• A clear separation of the low-level services (hypervisor level) from the application services
• It deals with the services related to partitions (strong achievement of the isolation properties)
• It does not define how the partition shall work
• A partition can host different OSes (real-time, secure, general-purpose), which facilitates the integration of software from multiple providers
• Enforces the roles of the integrator and the developers
INTRODUCTION
XtratuM provides virtual machines (VM) to execute applications in partitions.
XtratuM manages partitions and is aware of the partition nature.
Partitions can be:
• A single-thread application as a bare partition on top of the TOE.
• A multi-thread application developed on top of an RTOS. The RTOS needs to be para-virtualised to be executed on top of the TOE. The para-virtualisation guarantees that the RTOS cannot use the system resources directly and must use the services provided by the TOE to use the virtualised resources.
• A general-purpose operating system (Linux). It has to be para-virtualised.
ARCHITECTURE
Partitions can be:
• Single-thread partition. Para-virtualised, no internal overhead, low overhead (hypervisor).

#include <xm.h>
#include "std_c.h"

void PartitionMain(void) {
    unsigned long counter = 0;
    int dec, frac;
    float f = 0.0;

    while (1) {
        counter++;
        f = (float)counter * (3.0 / 7.0);
        if (!(counter % 10000)) {
            /* split f into integer and fractional parts before printing
               (dec and frac were left uninitialised on the slide) */
            dec = (int)f;
            frac = (int)((f - dec) * 1000);
            xprintf("%d.%d\n", dec, frac);
        }
        if (counter == 300000) {
            /* stop this partition through the hypervisor */
            XM_halt_partition(XM_PARTITION_SELF);
        }
    }
}
ARCHITECTURE
Partitions can be:
• Single-thread partition. Para-virtualised, no internal overhead, low overhead (hypervisor).
• Multi-thread partition based on cyclic scheduling. Para-virtualised, no internal overhead, low overhead (hypervisor).

#include "../extras/std_c.h"
#include <xm_glib.h>

static volatile int next_period = 0;   /* set by the timer event handler */
static xm_time current_clock;

void event_handler(int irqnr) {
    XM_unmask_event(XM_HWTIMER_EVENT);
    next_period = 1;                   /* release the main loop */
}
void task1(void) { ...... }
void task2(void) { ...... }
void task3(void) { ...... }            /* called in slot 1 below */

void PartitionMain(void) {
    xm_time secondaryCycle = .....;    /* minor cycle length (value elided on the slide) */
    int MAF = ....;
    int nSlot = ....;

    /* programme a periodic timer on the hardware clock */
    XM_get_time(XM_HW_CLOCK, &current_clock);
    XM_set_timer(XM_HW_CLOCK, current_clock, secondaryCycle);
    XM_enable_irqs();
    XM_unmask_event(XM_HWTIMER_EVENT);

    nSlot = 0;
    while (1) {
        switch (nSlot) {               /* static cyclic plan inside the partition */
            case 0: task1(); task2(); break;
            case 1: task1(); task3(); break;
            …………
            default: break;
        }
        nSlot++;
        if (nSlot == 4) nSlot = 0;
        while (next_period == 0);      /* waits for the next timer event */
        next_period = 0;
    }
}
DEVELOPMENT ENVIRONMENTS
• XAL (XtratuM Abstraction Layer)
• TSPAL (Temporal and Spatial Partitioning Abstraction Layer)
• PartiKle
• Lithos
• RTEMS
• OSEK
• Linux
• Android
• Meego
DEVELOPMENT ENVIRONMENTS
XAL (XtratuM Abstraction Layer)
XAL is a development environment to create plain "C" applications. It is provided jointly with the XtratuM core.
It provides the libraries and scripts to compile and link a "C" application.
Libraries: stdio, math, …
It permits executing single-thread "C" programs as partitions.
DEVELOPMENT ENVIRONMENTS
LithOS
It is a para-virtualised guest operating system which uses the services provided by XtratuM to offer the complete ARINC-653 APEX to the applications.
It provides the following services:
• Partition Management
• Interpartition communication
• Process Management
• Intrapartition communication
• Time Management
• Health Monitor
• Multiple scheduling (extended services)
• Non-portable services
LITHOS
Services (figure: table of LithOS services)
Low footprint: < 64KB.
+ Other services (non-portable) that permit stopping/resetting/suspending/resuming other partitions or accessing system information: start of the slot, slot identification, …
DEVELOPMENT ENVIRONMENTS
RTEMS
RTEMS 4.8.1 has been para-virtualised to be executed as a partition on top of XtratuM.
Two new BSPs have been defined: xm2leon2 / xm3leon3 (IRQ management, clock management, …).
Conceptual problem with time during the interval in which the partition is not scheduled. Two approaches:
• The clock reference is the system clock (ARINC 653). Ticks are accumulated at the beginning of the partition (this is the implemented option). Delays and periods are relative to the hardware clock.
• The clock reference is the partition execution time. Delays and periods are relative to the execution clock.
ARCHITECTURE
Partitions can be:
• Single-thread partition. Para-virtualised, no internal overhead, low overhead (hypervisor).
• Multi-thread partition based on cyclic scheduling. Para-virtualised, no internal overhead, low overhead (hypervisor).
• Multi-thread partition (RTOS). The RTOS (PartiKle, RTEMS, ORK) needs to be para-virtualised. Applications do not need modifications. Additional internal overhead (thread context switch) + low overhead (hypervisor).
PARTITIONS
• Partition: Execution Environment (EE) managed by the hypervisor, which uses the virtualised services
• Limited by the amount of memory and CPU usage
• Performance is not affected by the number of partitions
• Two kinds of partitions: user and supervisor
• Supervisor partitions can use some specific services
SYSTEM CONFIGURATION
The system resources and the information flows are defined in the configuration file, XM_CF. It specifies:
• The hardware: processor, available memory and devices
• Resident software: hypervisor, partitions
• Communication channels
• …
SCHEDULING
Temporal partitioning
• Scheduling policy based on ARINC-653 cyclic scheduling
• Parameters: Major Frame (MAF) and slots
• Slots are defined using an offset with respect to the MAF and a duration
• The number of slots does not affect the performance
• Multiple schedules: several plans can be defined. plan 0: Initialisation; plan 1: Maintenance; plan 2: Normal; …
SCHEDULING
Temporal partitioning: Example (figure)
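The cyclic plan described above (a MAF, slots defined by offset and duration, one partition per slot) worked through as an added example that is not XtratuM code: it checks that a plan is well formed and resolves which partition owns the processor at any instant. The plan values are constructed (MAF of 1000 ms); the slot numbered 3 mirrors the one in the temporal isolation figure.

```c
/* Added example, not XtratuM code: checks an ARINC-653 style cyclic plan
 * and resolves which partition owns the CPU at a given instant. The plan
 * below is constructed; slot 3 mirrors the slide figure (start 400,
 * duration 100, partition P1). Times are in ms. */

typedef struct { int id, start, duration, partition; } slot_t;
typedef struct { int maf, nslots; slot_t slots[8]; } plan_t;

/* Constructed plan: MAF = 1000 ms, four slots, rest of the frame idle. */
static const plan_t plan = { 1000, 4, {
    {0, 0, 200, 1}, {1, 200, 150, 2}, {2, 350, 50, 3}, {3, 400, 100, 1} } };

/* Valid when every slot fits inside the MAF and no two slots overlap: only
 * then is each window guaranteed whatever the other partitions do. */
int plan_is_valid(const plan_t *p) {
    for (int i = 0; i < p->nslots; i++) {
        const slot_t *a = &p->slots[i];
        if (a->duration <= 0 || a->start < 0 || a->start + a->duration > p->maf)
            return 0;
        for (int j = i + 1; j < p->nslots; j++) {
            const slot_t *b = &p->slots[j];
            if (a->start < b->start + b->duration && b->start < a->start + a->duration)
                return 0;                    /* overlapping windows */
        }
    }
    return 1;
}

/* Partition scheduled at absolute time t; the plan repeats every MAF.
 * Returns 0 when no slot covers the instant (idle). */
int partition_at(const plan_t *p, long t) {
    long off = t % p->maf;
    for (int i = 0; i < p->nslots; i++) {
        const slot_t *s = &p->slots[i];
        if (off >= s->start && off < s->start + s->duration) return s->partition;
    }
    return 0;
}

/* CPU time a partition gets per MAF: what its execution clock advances by
 * over one frame, independent of the other partitions' behaviour. */
int budget_per_maf(const plan_t *p, int partition) {
    int sum = 0;
    for (int i = 0; i < p->nslots; i++)
        if (p->slots[i].partition == partition) sum += p->slots[i].duration;
    return sum;
}
```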
MEMORY ALLOCATION
Spatial partitioning
• MMU/MPU write protection mechanism
• Read protection cannot be achieved without specific hardware support. Too expensive otherwise (full emulation via code analysis).
• Partitions are allocated at specific memory addresses (XML)
COMMUNICATION
Inter-partition communications. Two basic mechanisms:
• Sampling ports: support for broadcast, multicast and unicast messages
• Queueing ports: support for buffered unicast communication between partitions. Messages are delivered in FIFO order
Channels are the link between ports
COMMUNICATION
(Figure: ports and channels.)
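The two port kinds listed above, sampling and queueing, as an added example (a minimal model, not XtratuM's implementation): a sampling port delivers only the latest message, while a queueing port delivers every message in FIFO order and refuses writes when its buffer is full. The queue depth and the message values are constructed.

```c
/* Added example, not XtratuM code: the two ARINC-653 port kinds on the slide.
 * Sampling port: holds only the latest message, reads do not consume it.
 * Queueing port: FIFO buffer, writes are rejected when full. Values constructed. */
#include <stdint.h>
#define QUEUE_DEPTH 4
typedef struct { uint32_t value; int valid; } sampling_port_t;
typedef struct { uint32_t buf[QUEUE_DEPTH]; int head, count; } queueing_port_t;

/* Sampling write always succeeds; the previous sample is discarded. */
void sampling_write(sampling_port_t *p, uint32_t v) { p->value = v; p->valid = 1; }

/* Sampling read: 1 and the latest value, or 0 if nothing was ever written.
 * The sample is not consumed, so several receivers can read the same one. */
int sampling_read(const sampling_port_t *p, uint32_t *out) {
    if (!p->valid) return 0;
    *out = p->value;
    return 1;
}

/* Queueing write: 0 when full (back-pressure rather than overwriting). */
int queueing_write(queueing_port_t *q, uint32_t v) {
    if (q->count == QUEUE_DEPTH) return 0;
    q->buf[(q->head + q->count) % QUEUE_DEPTH] = v;
    q->count++;
    return 1;
}

/* Queueing read: removes and returns the oldest message, 0 when empty. */
int queueing_read(queueing_port_t *q, uint32_t *out) {
    if (q->count == 0) return 0;
    *out = q->buf[q->head];
    q->head = (q->head + 1) % QUEUE_DEPTH;
    q->count--;
    return 1;
}

/* Send three messages through both ports; the consumer sees 1 (sampling) vs 3 (queueing). */
int demo_delivered(int *sampling_seen, int *queueing_seen) {
    sampling_port_t sp = {0, 0};
    queueing_port_t qp = {{0}, 0, 0};
    uint32_t msgs[3] = {0x10, 0x20, 0x30}, v;
    for (int i = 0; i < 3; i++) {
        sampling_write(&sp, msgs[i]);
        queueing_write(&qp, msgs[i]);
    }
    *sampling_seen = sampling_read(&sp, &v) && v == 0x30 ? 1 : 0;
    for (*queueing_seen = 0; queueing_read(&qp, &v); (*queueing_seen)++) ;
    return *sampling_seen + *queueing_seen;
}
```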
TIME MANAGEMENT
Clock and timers are virtualised to the partitions.
• HW clock: associated with the native hardware clock. Resolution 1 usec
• Execution clock: associated with the execution of the partition. This clock is only enabled when the partition is being executed. Resolution 1 usec
• Timer based on the HW clock. Resolution 1 usec
• Timer based on the execution clock. Resolution 1 usec
IO MANAGEMENT
IO access
• IO devices are directly handled by a partition (specified in the XML)
• XtratuM permits access to the IO ports
• Only one partition can access a given IO port
INTERRUPT MODEL
(Figure: interrupt model.)
HEALTH MONITOR
Health Monitoring: the Health Monitor discovers errors and tries to solve or confine the faulting subsystem in order to avoid or reduce the possible consequences (enforcing isolation).
HEALTH MONITOR
The XtratuM Health Monitor system is composed of four logical blocks:
• HM event detection: to detect abnormal states, using logical probes in the XtratuM code.
• HM actions: a set of predefined actions to recover from the fault or confine the error.
• HM configuration: to bind the occurrence of each HM event with the appropriate HM action.
• HM notification: to report the occurrence of the HM events.
Three event sources:
• Hardware: generated by the resources
• XtratuM: assertion results (probes) included in the code
• Partition: generated by the partition as a result of an internal state evaluation
HEALTH MONITOR
(Figure: Health Monitor.)
SERVICES
Services are provided via hypercalls.
CONFIGURATION AND DEPLOYMENT
System configuration: system configuration file (XML)
DEPLOYMENT SNAPSHOT
(Figure.)
CONFIGURATION AND DEPLOYMENT
(Figure.)
CONCLUSIONS
Virtualisation techniques based on hypervisors are the most appropriate solution for partitioned systems.
Para-virtualisation + dedicated devices is the best option for embedded/real-time systems.
The benefits of partitioned systems are fully achieved using virtualisation techniques.
Bare-metal hypervisors achieve strong spatial and temporal isolation and security functions.
Appropriate scheduling techniques are still needed for partitioned systems.
CONCLUSIONS
XtratuM is a hypervisor that achieves excellent results in performance and security.
It is being used in space to build TSP systems.
There is a need for tools to help the different roles in TSP development.